fix bugs

Author: taskbot

cmd/thv-operator/pkg/controllerutil/tokenexchange.go

@@ -2,7 +2,6 @@ package controllerutil
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
@@ -12,7 +11,6 @@ import (
 	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
 	"github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 	"github.com/stacklok/toolhive/pkg/runner"
-	transporttypes "github.com/stacklok/toolhive/pkg/transport/types"
 )
 
 // GenerateOpenTelemetryEnvVars generates OpenTelemetry environment variables
@@ -93,7 +91,8 @@ func GenerateTokenExchangeEnvVars(
 }
 
 // AddExternalAuthConfigOptions adds external authentication configuration options to builder options
-// This creates middleware configuration for token exchange and is shared between MCPServer and MCPRemoteProxy
+// This creates token exchange configuration which will be automatically converted to middleware by
+// PopulateMiddlewareConfigs() when the runner starts. This ensures correct middleware ordering.
 func AddExternalAuthConfigOptions(
 	ctx context.Context,
 	c client.Client,
@@ -138,55 +137,27 @@ func AddExternalAuthConfigOptions(
 		}
 	}
 
-	// Use scopes array directly from spec
-	scopes := tokenExchangeSpec.Scopes
-
 	// Determine header strategy based on ExternalTokenHeaderName
 	headerStrategy := "replace" // Default strategy
 	if tokenExchangeSpec.ExternalTokenHeaderName != "" {
 		headerStrategy = "custom"
 	}
 
-	// Build token exchange middleware configuration
+	// Build token exchange configuration
 	// Client secret is provided via TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET environment variable
 	// to avoid embedding plaintext secrets in the ConfigMap
-	tokenExchangeConfig := map[string]interface{}{
-		"token_url": tokenExchangeSpec.TokenURL,
-		"client_id": tokenExchangeSpec.ClientID,
-		"audience":  tokenExchangeSpec.Audience,
-	}
-
-	if len(scopes) > 0 {
-		tokenExchangeConfig["scopes"] = scopes
-	}
-
-	if headerStrategy != "" {
-		tokenExchangeConfig["header_strategy"] = headerStrategy
-	}
-
-	if tokenExchangeSpec.ExternalTokenHeaderName != "" {
-		tokenExchangeConfig["external_token_header_name"] = tokenExchangeSpec.ExternalTokenHeaderName
-	}
-
-	// Create middleware parameters
-	middlewareParams := map[string]interface{}{
-		"token_exchange_config": tokenExchangeConfig,
-	}
-
-	// Marshal parameters to JSON
-	paramsJSON, err := json.Marshal(middlewareParams)
-	if err != nil {
-		return fmt.Errorf("failed to marshal token exchange middleware parameters: %w", err)
-	}
-
-	// Create middleware config
-	middlewareConfig := transporttypes.MiddlewareConfig{
-		Type:       tokenexchange.MiddlewareType,
-		Parameters: json.RawMessage(paramsJSON),
-	}
-
-	// Use WithAppendMiddlewareConfig to append instead of replacing existing middlewares
-	*options = append(*options, runner.WithAppendMiddlewareConfig(middlewareConfig))
+	tokenExchangeConfig := &tokenexchange.Config{
+		TokenURL:                tokenExchangeSpec.TokenURL,
+		ClientID:                tokenExchangeSpec.ClientID,
+		Audience:                tokenExchangeSpec.Audience,
+		Scopes:                  tokenExchangeSpec.Scopes,
+		HeaderStrategy:          headerStrategy,
+		ExternalTokenHeaderName: tokenExchangeSpec.ExternalTokenHeaderName,
+	}
+
+	// Use WithTokenExchangeConfig to add configuration
+	// The middleware will be automatically created by PopulateMiddlewareConfigs() in the correct order
+	*options = append(*options, runner.WithTokenExchangeConfig(tokenExchangeConfig))
 
 	return nil
 }

pkg/runner/config.go

@@ -11,6 +11,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/auth"
 	authoauth "github.com/stacklok/toolhive/pkg/auth/oauth"
 	"github.com/stacklok/toolhive/pkg/auth/remote"
+	"github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 	"github.com/stacklok/toolhive/pkg/authz"
 	"github.com/stacklok/toolhive/pkg/container"
 	rt "github.com/stacklok/toolhive/pkg/container/runtime"
@@ -100,6 +101,9 @@ type RunConfig struct {
 	// OIDCConfig contains OIDC configuration
 	OIDCConfig *auth.TokenValidatorConfig `json:"oidc_config,omitempty" yaml:"oidc_config,omitempty"`
 
+	// TokenExchangeConfig contains token exchange configuration for external authentication
+	TokenExchangeConfig *tokenexchange.Config `json:"token_exchange_config,omitempty" yaml:"token_exchange_config,omitempty"`
+
 	// AuthzConfig contains the authorization configuration
 	AuthzConfig *authz.Config `json:"authz_config,omitempty" yaml:"authz_config,omitempty"`
 

pkg/runner/config_builder.go

@@ -107,14 +107,6 @@ func WithMiddlewareConfig(middlewareConfig []types.MiddlewareConfig) RunConfigBu
 	}
 }
 
-// WithAppendMiddlewareConfig appends a middleware configuration to the existing list
-func WithAppendMiddlewareConfig(middlewareConfig types.MiddlewareConfig) RunConfigBuilderOption {
-	return func(b *runConfigBuilder) error {
-		b.config.MiddlewareConfigs = append(b.config.MiddlewareConfigs, middlewareConfig)
-		return nil
-	}
-}
-
 // WithCmdArgs sets the command arguments
 func WithCmdArgs(args []string) RunConfigBuilderOption {
 	return func(b *runConfigBuilder) error {
@@ -365,6 +357,14 @@ func WithOIDCConfig(
 	}
 }
 
+// WithTokenExchangeConfig sets the token exchange configuration
+func WithTokenExchangeConfig(config *tokenexchange.Config) RunConfigBuilderOption {
+	return func(b *runConfigBuilder) error {
+		b.config.TokenExchangeConfig = config
+		return nil
+	}
+}
+
 // WithTelemetryConfig configures telemetry settings (legacy - custom attributes handled via middleware)
 func WithTelemetryConfig(
 	otelEndpoint string,

pkg/runner/middleware.go

@@ -29,57 +29,68 @@ func GetSupportedMiddlewareFactories() map[string]types.MiddlewareFactory {
 	}
 }
 
-// hasMiddlewareType checks if a middleware of the given type already exists
-func hasMiddlewareType(middlewares []types.MiddlewareConfig, middlewareType string) bool {
-	for _, m := range middlewares {
-		if m.Type == middlewareType {
-			return true
-		}
-	}
-	return false
-}
-
 // PopulateMiddlewareConfigs populates the MiddlewareConfigs slice based on the RunConfig settings
 // This function serves as a bridge between the old configuration style and the new generic middleware system
-// It appends default middlewares to any existing middlewares, avoiding duplicates
+//
+//nolint:gocyclo // Function complexity is acceptable for middleware configuration
 func PopulateMiddlewareConfigs(config *RunConfig) error {
-	// Start with existing middlewares (may already contain operator-provided middlewares)
-	middlewareConfigs := config.MiddlewareConfigs
-	var err error
+	var middlewareConfigs []types.MiddlewareConfig
 	// TODO: Consider extracting other middleware setup into helper functions like addUsageMetricsMiddleware
 
-	// Authentication middleware (add if not already present)
-	if !hasMiddlewareType(middlewareConfigs, auth.MiddlewareType) {
-		authParams := auth.MiddlewareParams{
-			OIDCConfig: config.OIDCConfig,
-		}
-		authConfig, err := types.NewMiddlewareConfig(auth.MiddlewareType, authParams)
-		if err != nil {
-			return fmt.Errorf("failed to create auth middleware config: %w", err)
-		}
-		middlewareConfigs = append(middlewareConfigs, *authConfig)
+	// Authentication middleware (always present)
+	authParams := auth.MiddlewareParams{
+		OIDCConfig: config.OIDCConfig,
+	}
+	authConfig, err := types.NewMiddlewareConfig(auth.MiddlewareType, authParams)
+	if err != nil {
+		return fmt.Errorf("failed to create auth middleware config: %w", err)
 	}
+	middlewareConfigs = append(middlewareConfigs, *authConfig)
 
-	// Tools filter and override middleware (add if enabled and not already present)
-	hasToolFiltering := len(config.ToolsFilter) > 0 || len(config.ToolsOverride) > 0
-	if hasToolFiltering && !hasMiddlewareType(middlewareConfigs, mcp.ToolFilterMiddlewareType) {
-		middlewareConfigs = addToolFilterMiddlewares(
-			middlewareConfigs,
-			config.ToolsFilter,
-			config.ToolsOverride,
-		)
+	// Token exchange middleware (if configured)
+	middlewareConfigs, err = addTokenExchangeMiddleware(middlewareConfigs, config.TokenExchangeConfig)
+	if err != nil {
+		return err
 	}
 
-	// MCP Parser middleware (add if not already present)
-	if !hasMiddlewareType(middlewareConfigs, mcp.ParserMiddlewareType) {
-		mcpParserParams := mcp.ParserMiddlewareParams{}
-		mcpParserConfig, err := types.NewMiddlewareConfig(mcp.ParserMiddlewareType, mcpParserParams)
+	// Tools filter and override middleware (if enabled)
+	if len(config.ToolsFilter) > 0 || len(config.ToolsOverride) > 0 {
+		// Prepare overrides map (convert runner.ToolOverride -> mcp.ToolOverride)
+		overrides := make(map[string]mcp.ToolOverride)
+		for actualName, tool := range config.ToolsOverride {
+			overrides[actualName] = mcp.ToolOverride{
+				Name:        tool.Name,
+				Description: tool.Description,
+			}
+		}
+
+		// Add tool filter middleware with both filter and overrides
+		toolFilterParams := mcp.ToolFilterMiddlewareParams{
+			FilterTools:   config.ToolsFilter,
+			ToolsOverride: overrides,
+		}
+		toolFilterConfig, err := types.NewMiddlewareConfig(mcp.ToolFilterMiddlewareType, toolFilterParams)
+		if err != nil {
+			return fmt.Errorf("failed to create tool filter middleware config: %w", err)
+		}
+		middlewareConfigs = append(middlewareConfigs, *toolFilterConfig)
+
+		// Add tool call filter middleware with same params
+		toolCallFilterConfig, err := types.NewMiddlewareConfig(mcp.ToolCallFilterMiddlewareType, toolFilterParams)
 		if err != nil {
-			return fmt.Errorf("failed to create MCP parser middleware config: %w", err)
+			return fmt.Errorf("failed to create tool call filter middleware config: %w", err)
 		}
-		middlewareConfigs = append(middlewareConfigs, *mcpParserConfig)
+		middlewareConfigs = append(middlewareConfigs, *toolCallFilterConfig)
 	}
 
+	// MCP Parser middleware (always present)
+	mcpParserParams := mcp.ParserMiddlewareParams{}
+	mcpParserConfig, err := types.NewMiddlewareConfig(mcp.ParserMiddlewareType, mcpParserParams)
+	if err != nil {
+		return fmt.Errorf("failed to create MCP parser middleware config: %w", err)
+	}
+	middlewareConfigs = append(middlewareConfigs, *mcpParserConfig)
+
 	// Load application config for global settings
 	configProvider := cfg.NewDefaultProvider()
 	appConfig := configProvider.GetConfig()
@@ -91,31 +102,74 @@ func PopulateMiddlewareConfigs(config *RunConfig) error {
 	}
 
 	// Telemetry middleware (if enabled)
-	middlewareConfigs = addTelemetryMiddleware(
-		middlewareConfigs,
-		config.TelemetryConfig,
-		config.Name,
-		config.Transport.String(),
-	)
+	if config.TelemetryConfig != nil {
+		telemetryParams := telemetry.FactoryMiddlewareParams{
+			Config:     config.TelemetryConfig,
+			ServerName: config.Name,
+			Transport:  config.Transport.String(),
+		}
+		telemetryConfig, err := types.NewMiddlewareConfig(telemetry.MiddlewareType, telemetryParams)
+		if err != nil {
+			return fmt.Errorf("failed to create telemetry middleware config: %w", err)
+		}
+		middlewareConfigs = append(middlewareConfigs, *telemetryConfig)
+	}
 
 	// Authorization middleware (if enabled)
-	middlewareConfigs = addAuthzMiddleware(middlewareConfigs, config.AuthzConfigPath)
+	if config.AuthzConfig != nil {
+		authzParams := authz.FactoryMiddlewareParams{
+			ConfigPath: config.AuthzConfigPath, // Keep for backwards compatibility
+			ConfigData: config.AuthzConfig,     // Use the loaded config data
+		}
+		authzConfig, err := types.NewMiddlewareConfig(authz.MiddlewareType, authzParams)
+		if err != nil {
+			return fmt.Errorf("failed to create authorization middleware config: %w", err)
+		}
+		middlewareConfigs = append(middlewareConfigs, *authzConfig)
+	}
 
 	// Audit middleware (if enabled)
-	enableAudit := config.AuditConfig != nil
-	middlewareConfigs = addAuditMiddleware(
-		middlewareConfigs,
-		enableAudit,
-		config.AuditConfigPath,
-		config.Name,
-		config.Transport.String(),
-	)
+	if config.AuditConfig != nil {
+		auditParams := audit.MiddlewareParams{
+			ConfigPath:    config.AuditConfigPath, // Keep for backwards compatibility
+			ConfigData:    config.AuditConfig,     // Use the loaded config data
+			Component:     config.AuditConfig.Component,
+			TransportType: config.Transport.String(), // Pass the actual transport type
+		}
+		auditConfig, err := types.NewMiddlewareConfig(audit.MiddlewareType, auditParams)
+		if err != nil {
+			return fmt.Errorf("failed to create audit middleware config: %w", err)
+		}
+		middlewareConfigs = append(middlewareConfigs, *auditConfig)
+	}
 
 	// Set the populated middleware configs
 	config.MiddlewareConfigs = middlewareConfigs
 	return nil
 }
 
+// addTokenExchangeMiddleware adds token exchange middleware if configured
+func addTokenExchangeMiddleware(
+	middlewares []types.MiddlewareConfig,
+	tokenExchangeConfig *tokenexchange.Config,
+) ([]types.MiddlewareConfig, error) {
+	if tokenExchangeConfig == nil {
+		return middlewares, nil
+	}
+
+	tokenExchangeParams := tokenexchange.MiddlewareParams{
+		TokenExchangeConfig: tokenExchangeConfig,
+	}
+	tokenExchangeMwConfig, err := types.NewMiddlewareConfig(
+		tokenexchange.MiddlewareType,
+		tokenExchangeParams,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create token exchange middleware config: %w", err)
+	}
+	return append(middlewares, *tokenExchangeMwConfig), nil
+}
+
 // addUsageMetricsMiddleware adds usage metrics middleware if enabled
 func addUsageMetricsMiddleware(middlewares []types.MiddlewareConfig, configDisabled bool) ([]types.MiddlewareConfig, error) {
 	if !usagemetrics.ShouldEnableMetrics(configDisabled) {

pkg/runner/runner.go

@@ -119,11 +119,11 @@ func (c *RunConfig) GetPort() int {
 //
 //nolint:gocyclo // This function is complex but manageable
 func (r *Runner) Run(ctx context.Context) error {
-	// Populate default middlewares from old config fields
-	// This now runs ALWAYS and appends to existing middlewares (avoiding duplicates)
-	// This allows both operator-provided middlewares and default middlewares to coexist
-	if err := PopulateMiddlewareConfigs(r.Config); err != nil {
-		return fmt.Errorf("failed to populate middleware configs: %v", err)
+	// Populate default middlewares from old config fields if not already populated
+	if len(r.Config.MiddlewareConfigs) == 0 {
+		if err := PopulateMiddlewareConfigs(r.Config); err != nil {
+			return fmt.Errorf("failed to populate middleware configs: %v", err)
+		}
 	}
 
 	// Create transport with runtime